Article Content

Article Number

000022446

Applies To

RSA ClearTrust Agent 4.6 for Apache

Microsoft Windows 2000 Server SP4

Issue

RSA ClearTrust Agent 4.6 for Apache decodes CGI parameters in URL

RSA ClearTrust Agent 4.6 for Apache hot fix level 4.6.0.59 or newer behaves differently than level 4.6.0.40

cleartrust.agent.retain_url.use_query_string is set to true

cleartrust.agent.retain_url.preserve_query_string is set to true

URL retention not working as expected when using URL query string for URL retention

CGI parameters decoded

Resolution

If cleartrust.agent.retain_url.use_query_string is set to True and cleartrust.agent.retain_url.preserve_query_string is also True, RSA ClearTrust Agent 4.6 for Apache should preserve the original URL. This is an example showing the erroneous behavior. Assuming the first URL is a ClearTrust-protected resource and the parameters mentioned above are set, after authentication the user will be redirected to the second URL listed below. As you can see, the parameters passed to the CGI scripts were decoded, even though they should not have been.
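The following added example is not part of the original article and is not RSA code. It models the decoding described above on a constructed URL (the host, script name and parameters are assumptions) to show how percent-decoding a retained query string changes what the CGI script receives, and gives a check that can be used to compare a post-authentication redirect against the URL originally requested.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample URL (not from the article): the parameter values carry
# percent-encoded '&', '=', '/' and '?' characters.
ORIGINAL = (
    "http://www.example.com/cgi-bin/report.cgi"
    "?name=R%26D%3Dteam&next=%2Fa%3Fb%3D1%26c%3D2"
)


def decode_query(url):
    """Model of the erroneous behaviour (an assumption about its effect, not
    the agent's code): the query string is percent-decoded before the user
    is redirected back to the protected resource."""
    head, sep, query = url.partition("?")
    return head + sep + unquote(query)


def cgi_params(url):
    """Name/value pairs as a CGI script would parse them from the URL."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def query_preserved(requested, redirected):
    """True only if the redirect carries the requested query string unchanged."""
    return urlsplit(requested).query == urlsplit(redirected).query


if __name__ == "__main__":
    redirected = decode_query(ORIGINAL)
    print("requested :", ORIGINAL)
    print("redirected:", redirected)
    print("params requested :", cgi_params(ORIGINAL))
    print("params redirected:", cgi_params(redirected))
    print("query preserved  :", query_preserved(ORIGINAL, redirected))
```

Once the encoded `&` and `=` are decoded, the script sees four parameters instead of two, so the same comparison makes a simple regression check after applying a fix level.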

This issue was originally fixed in RSA ClearTrust Agent 4.6.0.40 for Apache, but was reintroduced in RSA ClearTrust Agent 4.6.0.59 for Apache. Now this issue has been resolved in hot fix 4.6.0.91 for RSA ClearTrust Agent 4.6 for Apache. Contact RSA Security Customer Support to obtain hot fix 4.6.0.91, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels).

NOTE: A workaround for this problem is to use cookies for URL retention; simply set cleartrust.agent.retain_url.use_query_string to false.